Millions of Instagram influencers had their contact data scraped and exposed

A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records and was growing by the hour.

From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, number of followers, whether they’re verified and their location by city and country. Each record also contained personal contact information, such as the Instagram account owner’s email address and phone number.

Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. The records contained data that calculated the worth of each account, based on the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.

We contacted several people at random whose information was found in the database and provided them with their phone numbers. Two of them responded and confirmed that the email address and phone number found in the database were the ones used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.

Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, did not respond to a request for comment and several questions, including how the company obtained personal Instagram account email addresses and phone numbers. Later, in a tweet, Chtrbox disputed the number of people affected, claiming it was no more than 350,000 influencers. Chtrbox also said the database was only open for 72 hours, but the researcher confirmed the database was first detected on Shodan, a search engine for exposed databases and devices, on May 14.

Months later, Instagram — now with more than a billion users — choked its API to limit the number of requests apps and developers can make on the platform.

Facebook, which owns Instagram, later said it disputed the report.

“We take any allegation of data misuse seriously. Following an initial investigation into the claims made in this story, we found that no private emails or phone numbers of Instagram users were accessed,” said an Instagram spokesperson. “Chtrbox’s database had publicly available information from many sources, one of which was Instagram. Chtrbox also clarified that the database contained information for 350,000 people, not 49 million as has been reported.”

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” said an updated statement. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,” it added.

Updated on 5/23 with additional comments from Facebook and a statement from Chtrbox. We have also updated the wording of the article to note that email addresses and phone numbers in the database are personal information but may have been set to public by the users.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.